
Tech News - Cybersecurity

373 Articles
Facebook, Twitter, and other tech giants to fight against India’s new “intermediary guidelines” Reuters reports

Melisha Dsouza
14 Jan 2019
4 min read
According to a report by Reuters released late last month, the Indian Information Technology ministry has proposed rules that will compel major technology giants like Facebook, WhatsApp and Twitter to take down unlawful content affecting the “sovereignty and integrity of India”. According to the rules, this content will have to be taken down within 24 hours of being notified by a court or a government body. The rules are proposed with the aim of achieving ‘a safer social media’. The proposal drafted by the ministry is open for public comment until 31st January 2019, after which it will be adopted as law, either ‘with or without changes’.

Now Reuters reports that sources familiar with the matter have revealed that the tech giants are set to fight these rules that regulate content in India. The country is one of the world’s biggest Internet markets, with about 300 million Facebook users, more than 200 million WhatsApp users, and millions of Twitter users as well. Reuters also reports that many U.S. and Indian lobby groups representing these top tech companies have started seeking legal opinions on the impact of these rules. They have also been advised by law firms on drafting objections to the rules, to be filed with the IT ministry.

According to the Ministry of Electronics and Information Technology, the draft Intermediary Guidelines will “curb misuse of Social Media for mob lynching and other violence”. Last year, fake messages about child traffickers and kidnappers circulated through WhatsApp sparked mob lynchings in India. Mozilla Corp. called this proposal “a blunt and disproportionate” solution to regulating harmful online content, and added that the rules could lead to over-censorship of online content. Gopalakrishnan S, joint secretary at India’s IT ministry, said that the proposal would ‘make social media safer’ and ‘not curb freedom of speech’.

Industry executives and civil rights activists disagree. They say these rules could be used by the government of Prime Minister Narendra Modi to increase surveillance of the public, given that the proposal comes just ahead of India’s national election to be held in May. Sources also expressed concern to Reuters that the rules will put users’ privacy at stake through round-the-clock monitoring of online content: the rules require companies with more than 5 million Indian users to have a local office and a nodal officer for 24x7 coordination with law enforcement. The rules also mandate that, when questioned by the government, companies must reveal the origin of a message, which calls into question user confidentiality on platforms like WhatsApp that use end-to-end encryption to protect user privacy.

Twitter was abuzz with mixed sentiments. While some supported the motive of banishing fake news and misinformation from the internet, others were concerned about targeted surveillance.

https://twitter.com/akhileshsharma1/status/1081499612698083328
https://twitter.com/subhapa/status/1083240653272825856
https://twitter.com/subhapa/status/1083256991156453377

While the rules come just in time to prevent malicious actors from misusing social media platforms to spread fake news and sway voters, we cannot help but notice the strict impositions that tech giants will face if this draft becomes law. You can head over to Reuters for the entire coverage of this news.
Amazon’s Ring gave access to its employees to watch live footage of the customers, The Intercept reports

Amrata Joshi
11 Jan 2019
5 min read
According to a report by The Intercept, Ring, Amazon’s smart doorbell company, gave its employees access to watch live footage from customers’ cameras. As per the claim, Ring engineers and executives were allowed to watch users’ unfiltered footage. Last year in February, Amazon acquired Ring for $1 billion. Amazon had been in the news last year for a data breach in which the company leaked customers’ email addresses.

Ring markets its cameras, mounted as doorbells, as a security measure that acts like a privatized neighborhood watch while the user is away. Ring staff were able to access cameras both inside and outside the home, depending on where the devices were positioned. Ring has been accused of mishandling videos collected by the smart device and failing to protect the footage with encryption. A Ring customer’s email address is enough to get access to the cameras in that user’s home.

According to The Information and The Intercept, Ring’s video annotation team would watch camera footage and tag objects, humans and other things in the video clips so that its object recognition software could improve. In 2016, Ring provided its Ukraine-based research and development team unfettered access to a folder on Amazon’s S3 cloud storage service that held unencrypted videos created by Ring cameras. Ring’s Neighbors app, which lets users receive real-time crime and safety alerts, doesn’t include any mention of image or facial recognition in its description. Ring’s terms of service and privacy policy don’t mention the manual video annotation being conducted by humans. Ring tried to justify that the videos weren’t shared by the company.

Ring responded to this post stating, “We take the privacy and security of our customers’ personal information extremely seriously. In order to improve our service, we view and annotate certain Ring video recordings. These recordings are sourced exclusively from publicly shared Ring videos from the Neighbors app (in accordance with our terms of service), and from a small fraction of Ring users who have provided their explicit written consent to allow us to access and utilize their videos for such purposes. Ring employees do not have access to livestreams from Ring products. We have strict policies in place for all our team members. We implement systems to restrict and audit access to information. We hold our team members to a high ethical standard and anyone in violation of our policies faces discipline, including termination and potential legal and criminal penalties. In addition, we have zero tolerance for abuse of our systems and if we find bad actors who have engaged in this behavior, we will take swift action against them.”

https://twitter.com/briankrebs/status/1065219981833617408

Because of the privacy concerns, users are now skeptical about using Ring’s smart doorbell. One comment on HackerNews read, “The ring doorbell is installed at your front door. It records pretty much all movement to and from your house. It records audio at the doorstep, so if you're having a conversation with anyone at your doorstep, that gets recorded too.” Another user commented, “If some rando gets my ring doorbell footage and figures out where I live, that's hard to undo. If someone steals my stuff and gets away with it because I didn't have a ring doorbell, that's annoying but much easier to recover from. We are talking about the difference between an insurance claim and moving house.” According to a few users, this device is prone to DDoS attacks. One user commented, “Aside from the 700 person team given access to live video feeds and customer databases, the lack of proper security of this product makes it a PRIME target for DDOS attacks that could cripple infrastructure.” But a few users are in favor of such devices, as they find them safe and convenient to use.

One user commented, “These devices are extremely popular in my neighborhood, and cost/convenience is the only thing keeping them from being universal.” Another user commented, “I'd say, yes. I've been able to watch that many people see the ring (they see the camera), and they back right off the porch. It's been awesome in this respect, people simply ring it less.” Some users believe such surveillance devices shouldn’t use the cloud but should instead store data locally. Others are now looking for alternatives like the Xiaomi Dafang camera, the RCA doorbell camera, and Blue Iris. This news surely makes one reflect on how home appliances could be monitored by companies or hackers and how personal data might be misused.

Note: We have edited this news to include the response from the Ring team to our post.
FireEye’s Global DNS Hijacking Campaign suspects Iranian-based group as the prime source

Savia Lobo
11 Jan 2019
3 min read
FireEye, a US cybersecurity firm, has disclosed details of a DNS hijacking campaign. In its recent report, the company shared that it has identified a large-scale DNS hijacking affecting multiple domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. FireEye analysts believe an Iranian-based group is behind these attacks, although they do not have definitive proof. The analysts also said that “they have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker”. The FireEye Intelligence team has also identified access from Iranian IPs to machines used to intercept, record and forward network traffic, and mentions that these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors.

The FireEye report highlights three different techniques used to conduct these attacks.

Techniques to manipulate the DNS records and enable victim compromises

1. Altering DNS A Records

Source: FireEye

Here the attackers first log into a proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure. The attacker then logs into the DNS provider’s administration panel using previously compromised credentials, and changes the DNS records for the victim’s mail server in order to redirect it to their own mail server. They have used Let’s Encrypt certificates to support HTTPS traffic, and a load balancer to redirect victims back to the real email server after login credentials have been collected from them on the shadow server. The username, password and domain credentials are harvested and stored.

2. Altering DNS NS Records

Source: FireEye

This technique is the same as the previous one, except that here the attacker exploits a previously compromised registrar or ccTLD.

3. A DNS Redirector

Source: FireEye

This technique is a conjunction of the previous two. The DNS Redirector is an attacker operations box which responds to DNS requests. Here, if the domain is from inside the company, OP2 responds with an attacker-controlled IP address, and the user is redirected to the attacker-controlled infrastructure.

Analysts said that a large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates. These include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities. According to the FireEye report, “While the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim's domain registrar account.”

To know more about this news in detail, read the FireEye report.
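Defenders can catch the first two techniques by comparing a zone's records against a known-good baseline, and the third by comparing the answers seen from inside and outside the network. The Python below is an added example, not FireEye's tooling or code from the report: the domain names, the documentation-range IP addresses and the snapshots are constructed sample data, and a real deployment would fill the record maps from a resolver client rather than from literals.

```python
"""Detecting DNS record drift of the kinds the FireEye report describes.

Constructed example: record sets are modelled as {(name, rtype): frozenset(rdata)}
snapshots so that the three techniques map onto two checks:
  - A/MX or NS records that differ from a baseline (techniques 1 and 2)
  - the same name resolving differently from two vantage points (technique 3)
All names and addresses below are constructed (example.com plus the
192.0.2.0/24 and 198.51.100.0/24 documentation ranges).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    vantage: str   # where the answers were observed from
    records: dict  # {(owner name, record type): frozenset of rdata strings}


# What the zone is supposed to look like, recorded while it was known-good.
BASELINE = Snapshot("baseline", {
    ("example.com.", "NS"): frozenset({"ns1.example.net.", "ns2.example.net."}),
    ("example.com.", "MX"): frozenset({"10 mail.example.com."}),
    ("mail.example.com.", "A"): frozenset({"192.0.2.10"}),
})

# Public view of the zone when nothing has been touched.
OUTSIDE = Snapshot("internet", dict(BASELINE.records))

# Technique 1: the mail server's A record now points at a shadow mail server.
A_HIJACK = Snapshot("internet", {
    ("example.com.", "NS"): frozenset({"ns1.example.net.", "ns2.example.net."}),
    ("example.com.", "MX"): frozenset({"10 mail.example.com."}),
    ("mail.example.com.", "A"): frozenset({"198.51.100.7"}),
})

# Technique 2: the delegation itself now names attacker-operated servers.
NS_HIJACK = Snapshot("internet", {
    ("example.com.", "NS"): frozenset({"ns1.hijacked.example.org."}),
    ("example.com.", "MX"): frozenset({"10 mail.example.com."}),
    ("mail.example.com.", "A"): frozenset({"192.0.2.10"}),
})

# Technique 3: a redirector on the corporate network answers selectively
# while the public view of the zone stays untouched.
INSIDE = Snapshot("corporate-lan", {("mail.example.com.", "A"): frozenset({"198.51.100.7"})})

# Where to look first, keyed by the record type that moved.
HINT = {
    "NS": "NS records altered: review the registrar / ccTLD account",
    "A": "A records altered: review the DNS provider account",
    "MX": "MX records altered: review the DNS provider account",
}


def check_drift(baseline: Snapshot, observed: Snapshot) -> list:
    """One finding per (name, type) whose record set differs from the baseline."""
    findings = []
    for key in sorted(set(baseline.records) | set(observed.records)):
        expected = baseline.records.get(key, frozenset())
        seen = observed.records.get(key, frozenset())
        if expected != seen:
            name, rtype = key
            findings.append({
                "name": name, "type": rtype, "vantage": observed.vantage,
                "expected": sorted(expected), "observed": sorted(seen),
                "hint": HINT.get(rtype, "record changed"),
            })
    return findings


def check_split_answers(inside: Snapshot, outside: Snapshot) -> list:
    """One finding per name that resolves differently depending on vantage point."""
    findings = []
    for key in sorted(set(inside.records) & set(outside.records)):
        if inside.records[key] != outside.records[key]:
            name, rtype = key
            findings.append({
                "name": name, "type": rtype,
                inside.vantage: sorted(inside.records[key]),
                outside.vantage: sorted(outside.records[key]),
                "hint": "selective answers: a resolver or redirector in the path is lying",
            })
    return findings


def triage(baseline: Snapshot, public: Snapshot, internal: Snapshot) -> list:
    """Compare the public view with the baseline, then the internal view with the public one."""
    return check_drift(baseline, public) + check_split_answers(internal, public)


if __name__ == "__main__":
    for finding in triage(BASELINE, OUTSIDE, INSIDE) + triage(BASELINE, A_HIJACK, INSIDE):
        print(finding)
```

Run periodically against fresh snapshots, the drift check alerts on the record changes the report describes regardless of whether they were made through the DNS provider or the registrar, and the split-answer check surfaces a redirector that only lies to clients inside the organisation.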
TLS comes to Google public DNS with support for DNS-over-TLS connections

Prasad Ramesh
10 Jan 2019
2 min read
In a blog post yesterday, Google announced that its public DNS will now support transport layer security (TLS).

Google DNS

Google’s public Domain Name Service (DNS) is the world’s largest address resolver. The service lets anyone using it convert a human-readable domain name into the addresses used by browsers. Similar to search results, the domains looked up via DNS can also expose sensitive information. With DNS-over-TLS, users can add security to queries between their devices and Google Public DNS.

Google DNS-over-TLS

The need for security against forged websites and surveillance has grown over the years. The DNS-over-TLS protocol provides a standard way to secure and maintain the privacy of DNS traffic between users and resolvers. Users can secure connections to Google Public DNS with TLS, the same technology that makes HTTPS connections secure. The DNS-over-TLS specifications are implemented according to the RFC 7766 recommendations. Doing so minimizes the overhead of using TLS, and supports TLS 1.3, TCP Fast Open, and pipelining multiple queries over a single connection. This is deployed on Google’s own infrastructure, which they claim provides reliable and scalable management of the DNS-over-TLS connections.

Enabling DNS-over-TLS connections

DNS-over-TLS can be used by Android 9 Pie users. Linux users can use the Stubby resolver to communicate with the DNS-over-TLS service. You can create an issue if you are facing one. A comment from Hacker News says: “This is a DNS provided by Google, a company that earns money by analysing user data. If you want privacy, run your own DNS.” But Google has stated in its guides that it does not store any personally identifiable information long term.
ProtonMail shares guidelines to help organizations achieve EU GDPR compliance

Natasha Mathur
09 Jan 2019
5 min read
ProtonMail launched an online resource site yesterday, called “GDPR.eu”, that offers a complete compliance guide to the EU’s General Data Protection Regulation (GDPR). GDPR is considered the toughest privacy and security law in the world. The law imposes obligations on organizations that collect users’ personal data across Europe, and provides for fines of tens of millions of euros against organizations that violate its privacy and security rules.

The GDPR compliance guide offers detailed information about the GDPR law and answers questions such as “how to write a GDPR-compliant privacy notice”, “how does GDPR affect email”, “what is a GDPR data protection officer (DPO)”, and so on. Let’s have a look at some of the key topics covered in the GDPR compliance guide.

GDPR-compliant privacy notice

A GDPR privacy notice is a public document from an organization that gives details on how it processes a user’s personal data and how it applies GDPR’s data protection principles. The information that needs to be included in the privacy notice varies depending on two factors: a) whether an organization has collected the data directly from an individual, or b) whether it was received via a third party. As per the GDPR law, organizations need to provide their users with a privacy notice that is:

- concise, transparent, intelligible, and presented in an easily accessible form;
- written in clear and plain language, especially for information that is addressed specifically to a child;
- delivered properly and in a timely manner;
- provided free of charge.

The guide also mentions some of the best practices that should be followed when writing a privacy notice. It says that phrases such as “we may use your personal data to develop services” or “we may use your personal data for research purposes” should not be used in a public notice, as they don’t give a clear picture of how an organization intends to use that data. Instead, a phrase such as “we will retain your shopping history and use details of the products that you have previously purchased to make better suggestions to you for other products” is much better and more informative.

GDPR email compliance

The GDPR compliance guide provides information on how GDPR affects email. It states that GDPR does not ban email marketing by any means; instead, it encourages organizations to carry out effective email marketing. “A good marketing email should ideally provide value to the recipient and be something they want to receive anyway. What the GDPR does is clarify the terms of consent, requiring organizations to ask for an affirmative opt-in to be able to send communications. And you must also make it easy for people to change their mind and opt-out”, states the guide.

The guide also addresses another aspect of email: email security. As per Article 5(f) of GDPR, it is the responsibility of an organization to protect users’ personal data against accidental loss, destruction or damage by implementing appropriate technical or organizational measures. Moreover, the guide states that in order to avoid liability, it is important for organizations to educate their teams about email safety. For instance, implementing basic steps such as two-factor authentication is a good initiative toward protecting user data and complying with the GDPR.

GDPR Data Protection Officer (DPO)

GDPR states that, under certain conditions, organizations should appoint a Data Protection Officer to oversee the organization’s GDPR compliance. The DPO should possess expert knowledge of data protection law and practices. Article 38 of GDPR states that no other employee within an organization can issue instructions to the DPO regarding the performance of their tasks. DPOs have wide-ranging responsibilities, and the position is protected from interference by other employees within the organization. The DPO reports only to the highest level of management at the organization. GDPR does not list specific qualifications for a DPO; however, it does say that the level of knowledge and experience required when appointing a DPO should be determined by the complexity of the organization’s data processing operations. The GDPR compliance guide mentions three criteria that need to be met by an organization for it to appoint a DPO:

- Public authority: the processing of personal data is handled by a public body or public authorities within an organization.
- Large-scale and regular monitoring: the processing of personal user data is the main activity of an organization that regularly and systematically observes user data on a large scale.
- Large-scale special data categories: the processing of specific “special” data is carried out on a large scale within the organization.

Apart from these major guidelines, the GDPR compliance guide also offers an overview of GDPR, a GDPR compliance checklist, GDPR forms and templates, along with the latest news and updates regarding GDPR. Check out the complete GDPR compliance guide here.
Ethereum classic suffered a 51% attack; developers deny, state a new ASIC card was tested

Prasad Ramesh
08 Jan 2019
3 min read
Yesterday there were discussions on Twitter about an Ethereum Classic 51% attack, which was a possible chain reorganization or double-spend attack. However, Ethereum Classic developers denied it and have shed some light on the incident. Ethereum Classic is the original version of Ethereum, which suffered a major hack in 2016. The developers then forked it and used the fork to create a new version where the hack was fixed; this new version was called Ethereum.

https://twitter.com/eth_classic/status/1082045223310483457

A 51% attack is when one or more parties have more than 50% of the compute power (hash rate) in the network. Such a party could mine a large number of blocks in the network, double spend coins and reward themselves unfairly. Double spending is exactly what it sounds like: paying the same amount twice. In a chain reorganization, one or more miners have significantly more hashrate than the others in the network. Such a miner can define a new transaction history on the network.

Etherchain tweeted that there was a successful 51% attack on Ethereum Classic.

https://twitter.com/etherchain_org/status/1082329360948969472

Cryptocurrency exchange Coinbase published a post noting the same: “On 1/5/2019, Coinbase detected a deep chain reorganization of the Ethereum Classic blockchain that included a double spend. In order to protect customer funds, we immediately paused movements of these funds on the ETC blockchain. Subsequent to this event, we detected 8 additional reorganizations that included double spends, totaling 88,500 ETC (~$460,000)”.

Amidst the confusion, fear and falling ETC value, the Ethereum Classic team has responded to the incident. The latest update from Ethereum Classic official sources contradicts the Coinbase report. They said that this activity was selfish mining and not a 51% attack: ‘No double spends were detected’. They said that an ASIC card manufacturer, Linzhi, was testing their new ethash machines, which had a power of 1,400/Mh. The tweet seems to have been removed, but its contents stated:

“Regarding the recent mining events. We may have an idea of where the hashrate came from. ASIC manufacturer Linzhi confirmed testing of new 1,400/Mh ethash machines #projectLavaSnow – Most likely selfish mining (Not 51% attack) – Double spends not detected (Miner dumped blocks)”

A more recent tweet from Ethereum Classic states that both angles, Coinbase’s and the ASIC card, may be true.

https://twitter.com/eth_classic/status/1082392663314202624

Currently, ETC is 18th by market cap, with a market capitalization of ~$540 million.
NSA to release ‘GHIDRA’, their reverse engineering framework, to the public at RSA Conference 2019

Melisha Dsouza
07 Jan 2019
2 min read
The National Security Agency (NSA) will publicly release its reverse engineering framework, called GHIDRA, for the first time at the RSA Conference (Rivest, Shamir, and Adleman security conference) to be held in March 2019. According to the official announcement on the RSA blog, the framework will be introduced by NSA’s Senior Advisor Robert Joyce. According to the NSA, GHIDRA has ‘an interactive GUI capability that enables reverse engineers to leverage an integrated set of features that run on a variety of platforms including Windows, Mac OS, and LINUX and supports a variety of processor instruction sets’.

This is what we know about GHIDRA so far:

- In March 2017, WikiLeaks leaked the CIA Vault 7 documents, which highlighted the various tools used by the CIA. The leaked documents included numerous references to a reverse engineering tool called ‘GHIDRA’ that was developed by the NSA at the start of the 2000s.
- For the past few years GHIDRA has been shared with other US government agencies with cyber teams that look at the inner workings of malware strains or suspicious software.
- GHIDRA is a ‘disassembler’ that breaks software down into its assembly code so that humans can analyze malware and other suspected malicious software.
- GHIDRA is built in Java, runs on Linux, Mac and Windows operating systems, and has a graphical user interface.
- With GHIDRA, developers can analyze binaries for all major operating systems, including mobile platforms like Android and iOS.
- The NSA is expected to add GHIDRA to the NSA's code repository hosted on GitHub, where the spy agency has released several other open source programs.

Some people who are familiar with this tool have shared opinions on HackerNews, Reddit, and Twitter, comparing GHIDRA with IDA, another well-known reverse engineering tool.

Source: HackerNews

Head over to RSA’s official blog to check out the announcement. Alternatively, check out Siliconangle for more insights on this news.
Researchers release unCaptcha2, a tool that uses Google’s speech-to-text API to bypass the reCAPTCHA audio challenge

Natasha Mathur
07 Jan 2019
3 min read
A team of researchers at the University of Maryland released unCaptcha2 last week, an updated version of their tool unCaptcha, which defeated Google's reCAPTCHA audio challenge with 85.15% accuracy in 2017. Google’s audio challenge is aimed at solving reCAPTCHA's accessibility problem for visually challenged people who can’t see where to "tick the box" to prove that they’re a human and not a robot. Hence, they’re offered the option to listen to an audio clip and enter what they hear as the response.

unCaptcha, released in 2017, managed to pass the reCAPTCHA audio system using an approach that involved downloading the audio and segmenting it. These segments were then uploaded to multiple speech-to-text services, which in turn would transcribe the message.

Figure: unCaptcha

Finally, the response obtained would be typed into the reCAPTCHA form to solve the challenge. However, after the 2017 attack, Google updated reCAPTCHA with changes such as improved browser automation detection and using spoken phrases instead of digits. These changes successfully protected reCAPTCHA from the 2017 unCaptcha attack but failed to protect it from the new unCaptcha2. “As of June 2018, these challenges have been solved. The reCAPTCHA team..is..fully aware of this attack. The team has allowed us to release the code. The code now only needs to make a single request to a free, publicly available speech to text API (by Google) to achieve around 90% accuracy over all the captchas”, states the team.

unCaptcha2 makes use of a screen clicker that lets it move to certain pixels on the screen and move around the webpage as a human would. However, this method is not very robust and still needs more work. Also, unCaptcha2 uses a different approach from the first version and no longer requires multiple speech-to-text engines or the segmentation step.

unCaptcha2 involves navigating to Google's reCAPTCHA demo site, navigating to the audio challenge, and downloading the audio. The audio challenge is then submitted to a speech-to-text service, and finally the response obtained is typed in and submitted to solve the challenge. “unCaptcha2, like the original version, is meant to be a proof of concept. As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time,” state the researchers.
Researchers design ‘AnonPrint’ for safer QR-code mobile payment: ACSC 2018 Conference

Melisha Dsouza
07 Jan 2019
7 min read
Last month, researchers from USA, China, and Hong Kong published a paper in collaboration, titled as ‘Beware of Your Screen: Anonymous Fingerprinting of Device Screens for Off-line Protection’. This paper, presented at The 34th Annual Computer Security Applications Conference, highlights a new technique to enhance the security protection of QR-based payment, without undermining the payer’s privacy. The technique used by the researchers takes advantage of the unique luminance unevenness of a payer’s screen that is introduced by the imperfect manufacture process. The paper also presents a way to ensure that even when the payer’s digital wallet has compromised, an unauthorized payment cannot succeed. Besides this, the paper also takes into consideration the privacy issues that may arise if the screen’s features were naively deployed to authenticate the payer; as it could be misused by the vendors to link one’s different purchases together. To tackle this, the researchers have presented ‘AnonPrint’ that obfuscates the phone screen during each payment transaction. QR-code mobile payment systems are used by almost everyone today, including banks, service providers, and other commercial organizations. These payment systems are deployed solely using software without any hardware support. The paper highlights that in the absence of hardware support, a users wallet ‘can be vulnerable to an Os-level adversary’ which could be misused to generate a user’s payment tokens. To overcome this adversary, the researchers have demonstrated a method as a second factor authentication mechanism in the form of the physical features of a mobile's screen. The research takes advantage of the taried luminance levels of the pixels on the screen (which occurs due to the flaws in the manufacturing process) and can be used to uniquely characterize the screen. 
An advantage of this method is that, since the adversary cannot observe the physical features of the screen, the physical fingerprint cannot be stolen even when the OS is fully compromised. Also, this second-factor authentication is fool-proof even when the secret key for generating QR codes is stolen or when a user’s phone has been fully compromised by the adversary.

How is anonymous screen fingerprinting carried out?

To enable service providers to use the screen to enhance security protection while preserving users’ privacy, the researchers designed a new technique called ‘AnonPrint’. AnonPrint randomly generates visual one-time masks: a pixel pattern with dots set to various brightness levels that obfuscates the distinguishable features of a user’s screen. For each transaction, the technique randomly creates a smooth textured pattern (which is also known to the provider) and displays it as the background of the QR code to disarrange the brightness of the screen, in line with a screen’s real-world physical properties, i.e. neighboring dots are correlated and brightness levels change smoothly. This hides the physical properties of the screen, while a party that knows the mask, such as the payment service provider, can verify whether the features collected from the protected screen belong to the authorized device.

Here is an overview of how the system works. First, the user submits the original screen fingerprint of their device to the payment provider when they open an account. The wallet app is modified to synchronize a secret random seed with the provider. This seed can be derived by hashing the time of the payment together with a shared secret using a cryptographic hash function (e.g., SHA-256). The seed then bootstraps a pseudo-random number generator (PRNG) each time the wallet app needs to provide each party with a sequence of random numbers for mask generation.
The mask is displayed as the background of the QR payment token. The POS scanner extracts the obfuscated screen fingerprint in addition to decoding the QR code, and passes the information to the payment provider. The provider retrieves the shared secret and the original screen fingerprint using the claimed ID. Next, the same mask used by the payer is reconstructed and used together with the original fingerprint as inputs for synthesizing a new obfuscated fingerprint. This is compared with the fingerprint captured from the payer’s screen, and the transaction can be approved if the similarity of the two prints is above a certain threshold and the other security checks are completed.

How does AnonPrint obfuscate the screen?

AnonPrint creates a ‘mask’ to hide the screen’s hardware fingerprint for every payment transaction. The mask is generated automatically by the digital wallet app, which seeds a PRNG with a random number synchronized with the payment service provider. To obfuscate the hardware fingerprint while maintaining the screen’s realistic look, the researchers perform the following steps:

(1) Random zone selection: a 180×108 pure white image (all pixels set to 255) is produced as the background, and 20 mutually disjoint zones, each of size 16×16, are randomly selected from it.
(2) Dot darkening: from each zone, 3 pixels are randomly chosen and their values set to a random number between 0 and 100.
(3) Smoothing: every zone is blurred using Gaussian smoothing, which “smoothes out” the dark color of the selected pixels into the neighboring pixels.
(4) Resizing: the mask image is resized and scaled to a 1800×1080 matrix whose values range from 220 to 255. The size of this image is identical to that of the original fingerprint.
Each user registers with the payment provider using an image of their unprotected screen with all pixels set to the maximum gray-scale value. During a payment, an image of the masked screen is used to authenticate the payer: on the payment service provider’s side, the mask is reconstructed from the shared secret and applied to the enrolled fingerprint, and the result is compared with the image received from the vendor.

Results and Discussion

The researchers conducted experiments on 100 smartphones, including iPhone, Samsung and many other models. All 100 phones were used to measure the effectiveness of the screen fingerprint in identifying the device; 50 phones were used to evaluate the anonymity protection and the effectiveness of AnonPrint separately. An iPhone 6s was used to capture images for screen fingerprinting. They implemented an Android application that displays a QR code and obfuscates the screen using masks derived from given random numbers for anonymous payment. To collect the fingerprints from each device, they displayed a QR code without obfuscation and then showed 5 different masks on the screen with the same code. Each time, they took a picture of the screen and used the image to extract fingerprints. The experiment concluded that for 88.75% of transactions, vendors can accurately link other transactions to the same customer simply by looking at the features of their screens. The experiment also showed that AnonPrint indeed breaks vendors’ ability to link screen fingerprints, and that the overhead introduced by AnonPrint (only 50 ms) is small for offline payment. Fingerprint verification takes 2.4 seconds on average. You can head over to the paper for a detailed explanation of every experiment conducted to check fingerprint accuracy, anonymity protection, fingerprint verification and much more.
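As an added example (not code from the paper or from this article), the following Python builds a one-time mask with the four steps described above from a seed synchronized via SHA-256, then performs the provider-side reconstruction and comparison from the overview. The image sizes, zone and pixel counts and value ranges come from the article; the seed byte layout, the grid-aligned zone placement, the Gaussian sigma, nearest-neighbour resizing, the fingerprint synthesis, the similarity metric, the threshold and the sample fingerprints are assumptions or constructed.

```python
"""Added example, not the paper's or the article's code: an AnonPrint-style one-time mask
built by the four steps above, plus the provider-side reconstruction and comparison."""
import hashlib
import math
import random
import struct

MASK_W, MASK_H = 180, 108             # low-resolution mask canvas (paper)
ZONE, N_ZONES, DARK_PER_ZONE = 16, 20, 3
SCALE = 10                            # 180x108 -> 1800x1080 (paper)
OUT_MIN, OUT_MAX = 220, 255           # value range of the final mask (paper)
SIGMA = 1.0                           # assumption: smoothing strength is not given
THRESHOLD = 0.95                      # assumption: acceptance threshold is not given


def derive_seed(shared_secret: bytes, payment_time: int) -> int:
    """Seed = SHA-256(payment time || shared secret); wallet and provider both compute it."""
    digest = hashlib.sha256(struct.pack(">Q", payment_time) + shared_secret).digest()
    return int.from_bytes(digest, "big")


def _gauss_kernel(sigma: float, radius: int = 3):
    k = [math.exp(-(i * i) / (2 * sigma * sigma)) for i in range(-radius, radius + 1)]
    return [v / sum(k) for v in k]


def _clamp(v):
    return min(max(v, 0), ZONE - 1)


def _blur_zone(img, x0, y0, kernel):
    """Step 3: separable Gaussian blur confined to one zone (edges clamped to the zone)."""
    r = len(kernel) // 2
    horiz = [[sum(w * img[y0 + j][x0 + _clamp(i + k - r)] for k, w in enumerate(kernel))
              for i in range(ZONE)] for j in range(ZONE)]
    for j in range(ZONE):
        for i in range(ZONE):
            img[y0 + j][x0 + i] = sum(w * horiz[_clamp(j + k - r)][i] for k, w in enumerate(kernel))


def generate_mask(seed: int):
    """Build the 1800x1080 mask from a synchronized seed; deterministic on both sides."""
    rng = random.Random(seed)
    img = [[255.0] * MASK_W for _ in range(MASK_H)]                  # step 1: white canvas
    cells = [(cx * ZONE, cy * ZONE) for cy in range(MASK_H // ZONE)
             for cx in range(MASK_W // ZONE)]                         # assumption: zones sit on a
    zones = rng.sample(cells, N_ZONES)                                # 16-px grid, so are disjoint
    kernel = _gauss_kernel(SIGMA)
    pixels = [(i, j) for i in range(ZONE) for j in range(ZONE)]
    for x0, y0 in zones:
        for px, py in rng.sample(pixels, DARK_PER_ZONE):              # step 2: 3 pixels to 0..100
            img[y0 + py][x0 + px] = float(rng.randint(0, 100))
        _blur_zone(img, x0, y0, kernel)                               # step 3: smooth the zone
    # step 4: map 0..255 onto 220..255 and upscale 10x (assumption: nearest neighbour)
    small = [[OUT_MIN + v * (OUT_MAX - OUT_MIN) / 255.0 for v in row] for row in img]
    return [[v for v in row for _ in range(SCALE)] for row in small for _ in range(SCALE)]


def obfuscate(fingerprint, mask):
    """Assumed synthesis: the screen's luminance print is attenuated pixel-wise by the mask."""
    return [[f * m / 255.0 for f, m in zip(fr, mr)] for fr, mr in zip(fingerprint, mask)]


def similarity(a, b) -> float:
    """Normalised correlation of two equally sized images, in [-1, 1] (assumed metric)."""
    fa = [v for row in a for v in row]
    fb = [v for row in b for v in row]
    ma, mb = sum(fa) / len(fa), sum(fb) / len(fb)
    num = sum((x - ma) * (y - mb) for x, y in zip(fa, fb))
    den = math.sqrt(sum((x - ma) ** 2 for x in fa) * sum((y - mb) ** 2 for y in fb))
    return num / den if den else 0.0


def provider_verify(enrolled, shared_secret: bytes, payment_time: int, observed) -> bool:
    """Provider side: rebuild the payer's mask, obfuscate the enrolled print, compare."""
    mask = generate_mask(derive_seed(shared_secret, payment_time))
    return similarity(obfuscate(enrolled, mask), observed) >= THRESHOLD


def constructed_fingerprint(device_id: int):
    """Constructed stand-in for an enrolled 1800x1080 print (all pixels driven to maximum):
    a smooth luminance gradient whose direction depends on the hypothetical device."""
    w, h = MASK_W * SCALE, MASK_H * SCALE
    if device_id % 2 == 0:
        row = [235.0 + 15.0 * (2 * x / (w - 1) - 1) for x in range(w)]
        return [list(row) for _ in range(h)]
    return [[235.0 + 15.0 * (2 * y / (h - 1) - 1)] * w for y in range(h)]


if __name__ == "__main__":
    secret, when = b"constructed-shared-secret", 1546819200            # constructed values
    enrolled = constructed_fingerprint(0)
    captured = obfuscate(enrolled, generate_mask(derive_seed(secret, when)))  # idealised camera
    other = constructed_fingerprint(1)
    print("same device accepted:", provider_verify(enrolled, secret, when, captured))
    print("other device accepted:", provider_verify(other, secret, when, captured))
```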
The research results look promising and it will be interesting to see potential implementations in today’s QR-payment systems. Head over to the paper for more insights on this news.
Melisha Dsouza
04 Jan 2019
2 min read

Cyber security researcher withdraws public talk on hacking Apple's Face ID from Black Hat Conference 2019: Reuters report

A China-based cyber security researcher, Wish Wu, canceled his briefing on how he could crack biometric facial recognition on Apple Inc iPhones, which was to be held at the Black Hat Asia hacking conference 2019. In a message to Reuters on Twitter, Wu said that his talk, entitled 'Bypass Strong Face ID: Everyone Can Deceive Depth and IR Camera and Algorithms', was called ‘misleading’ by his employer, and that he was asked to withdraw his briefing from Black Hat, one of the most prestigious cybersecurity conferences, to be held in Singapore this year. In late December, Black Hat withdrew an abstract of the talk from its website after Wu’s employer, Ant Financial, uncovered problems with the research. The abstract stated that Face ID could be hacked with an image printed on an ordinary black-and-white printer and some tape. Ant Financial said in a statement that “The research on the face ID verification mechanism is incomplete and would be misleading if presented”. Wu told Reuters that 'In order to ensure the credibility and maturity of the research results, we decided to cancel the speech’. He added that he agreed with the decision to withdraw his talk, saying he was only able to reproduce the hack on the iPhone X under certain conditions, and that it did not work with the iPhone XS and XS Max. Black Hat conference spokeswoman Kimberly Samra said, “Black Hat accepted the talk after believing the hack could be replicated based on the materials provided by the researcher”.

According to Apple, there is a one in 1 million chance that a random person could unlock Face ID, and a 1 in 50,000 chance that this would happen with the iPhone's fingerprint sensor. Thus, the idea that Face ID could be defeated, or rather hacked, is disturbing, especially because Face ID is used to lock down numerous functions on millions of iPhones, including banking apps, healthcare apps, emails, text messages, photos and much more.
If it fell into the wrong hands, the hack could have damaging consequences and could compromise sensitive information. Head over to Reuters for more insights on this news.
Melisha Dsouza
03 Jan 2019
4 min read

Hacker duo hijacks thousands of Chromecasts and Google smart TVs to play PewDiePie ad, reveals bug in Google’s Chromecast devices!

On Wednesday, a hacker duo hijacked thousands of Google’s Chromecast streaming adapters, Google Home smart speakers and smart TVs with built-in Chromecast technology to play a video urging users to subscribe to Swedish YouTuber PewDiePie's YouTube channel. The hacked smart TVs also displayed a message along similar lines. The hackers behind this campaign, codenamed CastHack, are known on Twitter as TheHackerGiraffe and j3ws3r. The attack took advantage of badly configured routers to find streaming devices exposed to the public internet. Once found, the hackers renamed the device’s Wi-Fi name and then played a PewDiePie YouTube video.

A website detailing the hack lists statistics on the number of devices forced to play the video, total renamed devices, total exposed devices and much more. The website shared some of the information the hackers had access to, including “what WIFI your Chromecast/Google Home is connected to, what bluetooth devices it has paired to, how long it’s been on, what WiFi networks your device remembers, what alarms you have set, and much more.” However, they state that “We’re only trying to protect you and inform you of this before someone takes real advantage of it. Imagine the consequences of having access to the information above.” They further added that “We want to help you, and also our favorite Youtubers (mostly PewDiePie)”.

According to Variety, the attack was part of a marketing campaign, “Subscribe to PewDiePie”, that fans of the Swedish video-game streamer and vlogger have been running since late last year. The goal of that campaign is to beat the Indian YouTube channel T-Series to the title of ‘YouTube's most popular channel’ by gaining more subscribers than the latter.

How did the attack take place?

The attack exploited a Chromecast bug allegedly ignored by Google for almost five years.
According to ZDNet, the ongoing CastHack takes advantage of users with incorrectly configured routers that have the UPnP (Universal Plug'n'Play) service enabled, a service which forwards specific ports from the internal network to the Internet. The ports are 8008, 8009, and 8443, normally used by smart TVs, Chromecasts, and Google Home for various management functions. The streaming devices expose these ports on internal networks, where users can operate them by sending commands from their smartphones or computers for remote management purposes. Routers with incorrectly configured UPnP settings make these ports available on the internet. This allowed FriendlyH4xx0r to scan the entire internet for devices with these ports exposed. Once devices were identified, the hacker said, another script renames the devices to "HACKED_SUB2PEWDS_#" and then tries to autoplay a video (since taken down by YouTube) promoting PewDiePie’s channel.

A Google spokesperson told Variety via email: “To restrict the ability for external videos to be played on their devices, users can turn off Universal Plug and Play (UPnP). Please note that turning off UPnP may disable some devices (e.g. printers, game consoles, etc.) that depend on it for local device discovery.”

This is the second time that HackerGiraffe and j3ws3r have teamed up to promote PewDiePie’s channel. Both said they were behind a hack in November that forced printers around the world to print out sheets of paper telling people to subscribe to PewDiePie.

https://twitter.com/maddybenavente1/status/1068017390246600704

You can head over to The Verge for more insights on this news.
Natasha Mathur
02 Jan 2019
4 min read

Privacy International shares its findings on how popular Android apps send user data to Facebook without user consent

Privacy International, a UK registered charity that promotes the right to privacy, released a report last week showing how popular Android apps (Qibla Connect, Period Tracker Clue, Indeed, My Talking Tom, etc.) share user data with Facebook, even for users who do not have a Facebook account. The report raises questions about transparency and Facebook’s use of important app data. As per the report, Facebook uses Facebook Business Tools to routinely track users, non-users and logged-out users outside its platform. App developers use the Facebook Software Development Kit (SDK) to share data with Facebook.

To examine these data-sharing practices, Privacy International used mitmproxy, a free and open source interactive HTTPS proxy, to analyze the data sent to Facebook by 34 Android apps. All of these apps were tested between August and December 2018; the latest re-test was done between the 3rd and 11th of December 2018.

Findings from the analysis

The report states that at least 61% of the tested apps transferred data to Facebook the moment a user opened the app, regardless of whether the person has a Facebook account or is logged into Facebook. Privacy International found that the data transmitted first is “events data”. This kind of data tells Facebook that the Facebook SDK has been initialized, by transmitting events such as "App installed” and "SDK Initialized". It informs Facebook that a specific app is being used, every single time that user opens the app. The apps that automatically transfer data to Facebook were found to send it together with a unique identifier, the Google advertising ID (AAID). These advertising IDs enable advertisers to link data about user behavior from different apps into a “comprehensive profile”, i.e. a clear and intimate picture of a person’s activities, interests, behaviors, and routines.
This comprehensive profile can also reveal information about a person’s health or religion. The analysis also revealed that event data such as "App installed”, "SDK Initialized" and “Deactivate app” offers detailed insight into the behavior of users and the apps they use. Moreover, the report revealed that some of the apps send data to Facebook that is highly detailed and sometimes sensitive, often relating to people who are logged out of Facebook or who have no Facebook account at all.

The report states that Facebook’s Cookies Policy describes two ways in which people with no Facebook account can control Facebook's use of cookies to show them ads. Privacy International tested both and found that neither had much impact on the data sharing. The report also mentions that the default implementation of the Facebook SDK automatically transmits event data to Facebook, which has led many developers to file bug reports over the concern that the Facebook SDK shares user data without consent. After May 25th, 2018, when GDPR came into force, Facebook introduced a voluntary feature that enables developers to delay collecting logged events until they acquire user consent.

Facebook responded to the report in an email, saying that “Prior to our introduction of the ‘delay’ option, developers had the ability to disable transmission of automatic event logging data, except for a signal that the SDK had been initialized. Following the June change to our SDK, we also removed the signal that the SDK was initialized for developers that disabled automatic event logging.” However, Privacy International notes that before this voluntary feature was released, many apps that used the Facebook SDK in the Android ecosystem could not prevent or delay the SDK from automatically collecting and sharing the fact that it had been initialized. This data, in turn, tells Facebook that a user is using a particular app, when they use it and for how long.
“Without any further transparency from Facebook, it is impossible to know for certain how the data that we have described in this report is being used. Our findings also raise a number of legal questions”, says Privacy International. For more information, check out the official Privacy International report.
Savia Lobo
31 Dec 2018
3 min read

A ransomware attack causes printing and delivery disruptions for several major US newspapers

A cyber-attack on one of the United States’ biggest media groups, Tribune Publishing, caused major printing and delivery disruptions for several major US newspapers over the weekend. The attack affected the printing centers operated by the publishing firm and also its former property, the Los Angeles Times. The attack, which took place on Saturday, appears to have originated from outside the United States, according to the Los Angeles Times. It led to distribution delays in the Saturday edition of the Times, the Tribune, the Sun and other newspapers that share a production platform in Los Angeles.

According to The New York Times, “a news article in The Los Angeles Times, and one outside computer expert said the attack shared characteristics with a form of ransomware called Ryuk, which was used to target a North Carolina water utility in October and other critical infrastructure.”

According to The Los Angeles Times report, “The Times and the San Diego paper became aware of the problem near midnight on Thursday. Programmers worked to isolate the bug, which Tribune Publishing identified as a malware attack, but at every turn, the programmers ran into additional issues trying to access a myriad of files, including advertisements that needed to be added to the pages or paid obituaries.” “After identifying the server outage as a virus, technology teams made progress on Friday quarantining it and bringing back servers, but some of their security patches didn’t hold and the virus began to reinfect the network, impacting a series of servers used for news production and manufacturing processes”, the report added.

By late Friday, the attack was hindering the transmission of pages from offices across Southern California to printing presses as publication deadlines approached. Tribune Publishing said in a statement on Saturday, “the personal data of our subscribers, online users, and advertising clients have not been compromised. We apologize for any inconvenience and thank our readers and advertising partners for their patience as we investigate the situation.” It was unclear whether company officials had been in contact with law enforcement regarding the suspected attack.

Katie Waldman, a spokeswoman for the Department of Homeland Security, said “we are aware of reports of a potential cyber incident affecting several news outlets, and are working with our government and industry partners to better understand the situation”, the Los Angeles Times reported. Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group, said, “usually when someone tries to disrupt a significant digital resource like a newspaper, you're looking at an experienced and sophisticated hacker”. She added that the holidays are "a well known time for mischief" by digital troublemakers because organizations are more thinly staffed. Read more about this news in The Los Angeles Times’ complete report.
Natasha Mathur
31 Dec 2018
3 min read

CenturyLink suffers a major outage; affects 911 services across several states in the US

CenturyLink, one of the largest American telecommunications providers, suffered a major outage that lasted almost two days, affecting internet, television, and 911 services across the US. The outage started at 17:18 UTC on Thursday and was resolved at 19:49 UTC on Saturday, according to CenturyLink’s status page. The CenturyLink team worked on fixing the issue and updated its customers on Twitter about the outage:

https://twitter.com/CenturyLink/status/1078350118938730496
https://twitter.com/CenturyLink/status/1078418494427938816
https://twitter.com/CenturyLink/status/1079095167930589184

As for the cause of the outage, CenturyLink might post a detailed analysis later; however, this has not yet been confirmed by CenturyLink. For now, Brian Krebs, an independent investigative journalist, has posted on his Twitter a copy of a notice that was sent to CenturyLink’s core customers. The post gives an insight into what the cause could be.

https://twitter.com/briankrebs/status/1079135599309791235

The post blames a “card” at CenturyLink’s data center in Colorado for “propagating invalid frame packets across devices”. To restore service, the card had to be removed from the equipment, along with secondary communication channel tunnels between specific devices. Additionally, a polling filter had to be applied to adjust the way the packets were being received by the equipment.

The outage crippled CenturyLink’s internet, phone, television, and home-security services, affecting its customers across several states in the US. 911 services were also affected by the outage in several states, including Seattle, Washington, Arizona, Minnesota, and Missouri. In this case, the outage affected only cellular calls to 911, not landline calls.
Emergency alerts were sent to residents across several states warning them of the outage, and different police departments tweeted an alternate number to 911. The US Federal Communications Commission (FCC) has launched a public investigation into the outage, with FCC chairman Ajit Pai calling it “completely unacceptable” and one whose “breadth and duration are particularly troubling”.

https://twitter.com/AjitPaiFCC/status/1078678912035684353

“I have spoken with CenturyLink to underscore the urgency of restoring service immediately. We will continue to monitor this situation closely to ensure that customers’ access to 911 is restored as quickly as possible,” added Pai.

At 1:44 UTC on Saturday, the company updated its status page to say that “all consumer services impacted by this event, including voice and 911, have been restored”. It took more than two days for CenturyLink to give the all-clear on the outage. The company updated at 19:49 UTC on Saturday, stating that “the network event experienced by CenturyLink Thursday has been resolved. Services for business and residential customers affected by the event have been restored. CenturyLink knows how important connectivity is to our customers, so we view any disruption as a serious matter and sincerely apologize for any inconvenience that resulted”. For more information, check out CenturyLink’s official page.
Melisha Dsouza
28 Dec 2018
3 min read

200+ Bitcoins stolen from Electrum wallet in an ongoing phishing attack

Popular Bitcoin wallet Electrum and Bitcoin Cash wallet Electron Cash are the subject of an ongoing phishing attack. The hacker, or hackers, have already got away with over 200 Bitcoin (around $718,000 at the time of writing) and, with the attack still ongoing, it is quite possible that they get away with much more. According to ZDNet, the phishing attack urged wallet users to download and install a malicious software update from an unauthorized GitHub repository. The attack began last Friday, i.e. on December 21, and the vulnerability at the heart of it has remained unpatched.

The official Electrum blog on GitHub says that the wallet’s admins privately received a screenshot from a German chat room, in response to the issue, in which new malware was being distributed that disguises itself as the "real" Electrum.

[Screenshot] Source: GitHub

Immediately after investigating the reasons for the error message, they silently made mitigations in commits 5248613 and 5dc240d and released Electrum wallet version 3.3.2. The attacker then stopped the phishing attack, temporarily. Yesterday, one of the Electrum developers, SomberNight, announced on GitHub that the attacker has started the malicious activity again. Electrum wallet admins are taking steps to reduce its usefulness to the attacker.

Execution of the ongoing phishing attack

To launch such a major attack, the attacker added tens of malicious servers to the Electrum wallet network. When users of legitimate Electrum wallets initiate a Bitcoin transaction and the transaction reaches one of the malicious servers, the server replies with an error message urging users to download a wallet app update from a malicious website (a GitHub repo). If the user clicks the link, the malicious update is downloaded, after which the app asks the user for a two-factor authentication (2FA) code. However, the legitimate wallet requests these 2FA codes only before sending funds, not at wallet startup.
This stealthily obtains the users’ 2FA code, which is then used to steal their funds and transfer them to the attacker's Bitcoin addresses. The underlying weakness is that Electrum servers are allowed to trigger popups with custom text inside users' wallets.

Steps taken by Electrum admins to create user awareness

The developers at Electrum have updated the Electrum wallet so that whenever an attacker sends a malicious message, it no longer appears as a rich-text formatted message. Instead, the user receives an unformatted error that looks more like unreadable code. This alerts the user that the message is malicious and not legitimate. The following screenshot shows how the ongoing attack looks in the new Electrum wallet version:

[Screenshot] Source: GitHub

Blockchain reporter says that “The Electrum Development team has identified some 33 malicious Electrum servers, though the total number is suspected to be between 40 and 50.” You can head over to Reddit for more insights on this news.